Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk lookup failing, even on itself
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eandres
Explorer
02-13-2025
11:43 AM
Running a lookup where I have verified the fields exist and match and its not returning an output field. So, I verified by running the lookup by itself and it still doesn't match. I have checked permissions, ran the search from the app it belongs to. I can view the lookup with "| inputlookup <name>".
Example running the lookup on itself:
| inputlookup myfile
| table a, b
| lookup myfile a OUTPUT b AS c
| table a, b, c
c always shows as empty for this one lookup
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eandres
Explorer
02-13-2025
12:49 PM
This is a time-based lookup, so if the _time in your event is not close enough to the time field in the lookup, it will not return a match.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eandres
Explorer
02-13-2025
12:49 PM
This is a time-based lookup, so if the _time in your event is not close enough to the time field in the lookup, it will not return a match.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eandres
Explorer
02-13-2025
12:07 PM
I believe this has something to do with the lookup having time_field set in the transforms.conf. e.g. "time_field = d"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
livehybrid
Super Champion
02-13-2025
12:54 PM
Hi @eandres
In Splunk, when defining a lookup within transforms.conf, the time_field parameter is used to specify a field in the lookup table that represents a timestamp. This allows Splunk to apply time-based filtering, ensuring that lookup results are relevant to the event’s timestamp
How to Troubleshoot and Fix
- Verify the format of timestamps in your lookup file and ensure time_format matches.
- Check if your events fall within the expected time range of the lookup.
- Test the lookup manually using | inputlookup my_lookup to confirm that timestamps are stored correctly.
- Remove time_field if time-based filtering is not required.
Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards
Will
Get Updates on the Splunk Community!
Splunk App Dev Community Updates – What’s New and What’s Next
Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...
The Latest Cisco Integrations With Splunk Platform!
Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
Enterprise Security Content Update (ESCU) | New Releases
In April, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security ...
